Rick Stevens wrote:
Also, both the old syslogd and the newer rsyslogd have to have the "-r" option specified for them to actually listen to the network (the "-r" can also have a port number appended, e.g. "-r 514"). Not sure about ng-syslog, but I suspect the same is true.
On Red Hattish machines, options are passed to the syslog daemon by values stuffed into the "SYSLOGD_OPTIONS" line of either the "/etc/sysconfig/syslog" or "/etc/sysconfig/rsyslog" file (depending on which syslog daemon you're running). By default, you'll find
SYSLOGD_OPTIONS="-c 3" (/etc/sysconfig/rsyslog)
SYSLOGD_OPTIONS="-m 0" (/etc/sysconfig/syslog)
Prepend that with "-r" (e.g. SYSLOGD_OPTIONS="-r -c 3") and then do a "service syslog restart". It should start listening to the network.
Thanks very much. It seems very complicated.
I wonder if I have taken the right steps?
1) I've uncommented and edited the line *.* @@192.168.2.2:514 in /etc/rsyslog.conf on the client laptop ("mary").
2) I see that the remote machine 192.168.2.2 ("helen"), which is running under Centos-5.2, is actually running syslog rather than rsyslog, and already has SYSLOGD_OPTIONS="-m 0 -r"
3) I've run sudo service rsyslog restart on mary, and sudo service syslog restart on helen for good measure.
4) I'm running shorewall on helen, so I've added Syslog/ACCEPT loc $FW to /etc/shorewall/rules on helen.
The net effect of all this seems to be that kernel messages are no longer being sent to /var/log/messages on mary, but they are not appearing on helen.
I notice that sudo telnet helen 514 fails. Does telnet only test tcp and not udp?
I tried sudo nmap -sU -F 192.168.2.2 but this never seems to return.
[Incidentally, I tried adding -r to /etc/sysconfig/rsyslog on mary, but she didn't like it, and said the -r option was ignored.]
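The thread above turns on the transport behind the forwarding syntax: in rsyslog.conf a single `@` forwards over UDP and a double `@@` forwards over TCP, while the `-r` flag of the classic sysklogd daemon only opens a UDP listener, which is also why a TCP tool like telnet gets nothing on port 514. The following is an added example, not code from the thread or from either syslog project: it parses the forwarding action, builds a BSD-style (RFC 3164) log line, and on loopback demonstrates that a datagram reaches a UDP-only listener while a TCP connect to the same port is refused. The hostnames "mary" and "helen" and the address 192.168.2.2 are taken from the thread; the function names are this example's own.

```python
"""Compare an rsyslog forwarding action with the transport a receiver listens on.

Added example, not part of the mailing-list thread. Assumptions are labelled
inline; the loopback probe uses an ephemeral port because 514 needs root.
"""
import socket
import time

SYSLOG_PORT = 514  # port implied when the action omits ":port"


def parse_forward_action(action):
    """Parse the target of an rsyslog forwarding action.

    "@host[:port]"  -> ("udp", host, port)   single @  = UDP
    "@@host[:port]" -> ("tcp", host, port)   double @@ = TCP
    """
    action = action.strip()
    if action.startswith("@@"):
        transport, rest = "tcp", action[2:]
    elif action.startswith("@"):
        transport, rest = "udp", action[1:]
    else:
        raise ValueError("not a forwarding action: %r" % action)
    host, sep, port = rest.partition(":")
    if not host:
        raise ValueError("missing host in %r" % action)
    return transport, host, int(port) if sep else SYSLOG_PORT


def rfc3164_message(facility, severity, hostname, tag, text):
    """Build a BSD-syslog line: <PRI>TIMESTAMP HOSTNAME TAG: MSG.

    PRI is facility * 8 + severity (kernel facility is 0, info severity is 6).
    """
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    pri = facility * 8 + severity
    ts = time.strftime("%b %d %H:%M:%S")  # portable approximation of the BSD timestamp
    return "<%d>%s %s %s: %s" % (pri, ts, hostname, tag, text)


def check_config(action, receiver_transports):
    """Verdict on whether the client's forwarding transport matches the
    transports the receiver actually listens on (e.g. {"udp"} for syslogd -r)."""
    transport, host, port = parse_forward_action(action)
    if transport in receiver_transports:
        return "ok: %s to %s:%d" % (transport.upper(), host, port)
    listening = ", ".join(t.upper() for t in sorted(receiver_transports))
    return "mismatch: client sends %s to %s:%d but receiver listens on %s" % (
        transport.upper(), host, port, listening)


def probe_udp_receiver(message, host="127.0.0.1"):
    """Stand up a UDP-only listener (what syslogd -r provides), deliver one
    datagram to it, then show a TCP connect to the same port is refused.

    Returns (received_text, tcp_connect_succeeded).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.settimeout(2)
    listener.bind((host, 0))  # ephemeral port: constructed stand-in for 514
    port = listener.getsockname()[1]
    try:
        sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sender.sendto(message.encode("utf-8"), (host, port))
        sender.close()
        received, _ = listener.recvfrom(2048)

        tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp.settimeout(2)
        try:
            tcp.connect((host, port))  # nothing listens on TCP here
            tcp_ok = True
        except OSError:
            tcp_ok = False
        finally:
            tcp.close()
    finally:
        listener.close()
    return received.decode("utf-8"), tcp_ok


if __name__ == "__main__":
    # The thread's configuration: TCP forwarding into a UDP-only receiver.
    print(check_config("@@192.168.2.2:514", {"udp"}))
    print(check_config("@192.168.2.2:514", {"udp"}))
    msg = rfc3164_message(0, 6, "mary", "kernel", "constructed test line")
    received, tcp_ok = probe_udp_receiver(msg)
    print("UDP datagram received:", received == msg)
    print("TCP connect to UDP-only port succeeded:", tcp_ok)
```

Running it prints a mismatch verdict for the `@@` line and an ok verdict for the single-`@` form, then confirms on loopback that the datagram arrived while the TCP connect failed. Checking `netstat -anu | grep 514` (or `ss -lun`) on the receiver gives the same answer for a real daemon.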